Allow tdbi's to appear in mbufs throughout the stack; this allows

security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

1 files changed, 6 insertions, 4 deletions

diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 724a7b7ded5..2882091411c 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ipsec_output.c,v 1.3 2001/03/15 06:31:00 mickey Exp $ */
+/*	$OpenBSD: ipsec_output.c,v 1.4 2001/03/28 20:03:06 angelos Exp $ */
 
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -193,8 +193,9 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 	    /* Fix IPv4 header checksum and length */
 	    if (af == AF_INET)
 	    {
-		if ((m = m_pullup(m, sizeof(struct ip))) == 0)
-		  return ENOBUFS;
+		if (m->m_len < sizeof(struct ip))
+		  if ((m = m_pullup(m, sizeof(struct ip))) == 0)
+		    return ENOBUFS;
 
 		ip = mtod(m, struct ip *);
 		ip->ip_len = htons(m->m_pkthdr.len);
@@ -207,7 +208,8 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready)
 	    /* Fix IPv6 header payload length */
 	    if (af == AF_INET6)
 	    {
-		if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0)
+		if (m->m_len < sizeof(struct ip6_hdr))
+		  if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == 0)
 		    return ENOBUFS;
 
 		if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {